Offline Analysis of IOS Image Integrity

Forensic analysis of IOS images can be a tricky science, due in part to the diversity in IOS image versions and branches. Between IOS 11 and IOS 12.4, over five thousand different images were built, a quarter of which belong to the 12.2 train. Some IOS trains are in more widespread use than others, just as some hardware platforms are more popular than others, but even when narrowing down by feature-set or hardware, there is a large diversity of images. There are however, some steps that can be taken, both while the IOS device is running, as well as offline, that can help determine the integrity of an IOS image.

The first method that can be used to verify the integrity of an IOS image is the verify command, which is built into IOS; the second is offline analysis of an IOS core dump. The first method is covered in detail in the Cisco IOS Image Verification whitepaper and is included below for completeness.

Built-in Tools

Running the verify command on an IOS device produces a list of hash values that can be checked against the values documented on Cisco.com.

A description of each of these hashes is available in the Cisco IOS Image Verification whitepaper.
• Embedded Hash: MD5 hash stored by Cisco in a section of the Cisco IOS image file during the image build process; used to verify section integrity for the Cisco IOS software image file. This MD5 hash value is calculated for certain sections of the Cisco IOS image file.
• Computed Hash: MD5 hash that the “Image Verification” feature calculates for certain sections of the Cisco IOS software image file when the verify command is executed. This value should be the same as the Embedded Hash to verify section integrity of the Cisco IOS image file. If this value is not equal to the Embedded Hash, the Cisco IOS image file may be corrupted or intentionally altered.
• CCO Hash: MD5 hash for the entire Cisco IOS image file. This hash is computed by the verify command and is not stored in the Cisco IOS software image.

The Embedded and Computed hash values must match. The CCO hash must match the MD5 hash value provided for this image on CCO. It is also possible to verify the hash provided for the image on CCO against the image stored on disk by passing the MD5 hash to the verify command as an argument.

The second method that can be used to verify the integrity of an IOS image is to write the core to disk for offline analysis. IOS devices can be configured to generate a full copy of their memory (called a core dump) and upload it to a specified location in the event of a crash. Further information on core dumps on IOS devices can be found in the Creating Core Dumps support document.

An organization’s specific policy may require that the memory contents not be compressed before being sent across the wire. If this is the case, simply remove the compress keyword from the first command listed above. However, using the compress keyword greatly speeds up the transfer.

The command write core results in the IOS device dumping its memory contents to disk and uploading it to a remote host if configured to do so.

Please note that generating a core file will have an impact on a production network; it should only be done in a controlled environment.

In order to verify the integrity of the image running on the router, we can extract the text segment from the memory dump, run a cryptographic hash on it, and compare the result with the hash of the text segment of the same image taken in a controlled environment. This implies trust in the memory-dumping process, which may itself be compromised; it is, however, an initial step. The text segment should be marked RO (read-only), as it contains the instructions to be executed, and these should not be overwritten.

To determine which file corresponds to each portion of the memory output in the show region command, we may look at the core files generated by the write core command, and also compare the file sizes and names with the output of show region:

In this example, the file RTR_20081006-195646 corresponds to main memory.

From this output, we know the text segment resides between address 0x40101040 and 0x42DDA370, and is 46985152 bytes in size. Since show region outputs the virtual memory addresses, we need to look at the translation lookaside buffer (TLB) and map to the address in physical memory. The TLB contains the virtual memory to physical memory mappings.

From the TLB we can see that the translation simply requires replacing the leading 0x4 of the virtual address with 0x0 in the calculations. Different tools can be used to extract the text segment from the memory dump; dd is used in this example.

In order to eliminate block-size rounding errors, we can specify a block size of 1, skip to the beginning of the text segment, and provide the value listed under Size(b) in the output of show region as the count:
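As an added example (not from the original post), the following shell functions perform the carve and hash comparison described above. They assume the TLB mapping stated in the post (leading 0x4 of the virtual address becomes 0x0, i.e. physical offset = virtual address - 0x40000000), use SHA-256 as the cryptographic hash, and take the core file name, show region address and Size(b) value as arguments; the reference hash is assumed to come from a known-good image's text segment carved the same way.

```shell
#!/bin/sh
# Added example: carve the IOS text segment out of a main-memory core dump at the
# physical offset derived from show region, hash it, and compare the result with a
# reference hash taken from a known-good image. Not code from the original post.
set -eu

# Translate a show region virtual address into an offset in the core file.
# Assumption (from the TLB mapping described in the post): the leading 0x4
# becomes 0x0, so physical = virtual - 0x40000000.
vaddr_to_offset() {
    printf '%d\n' $(( $1 - 0x40000000 ))
}

# Copy `size` bytes starting at virtual address `vaddr` from `core` into `out`.
# bs=1 avoids partial-block rounding, exactly as in the post's dd invocation.
extract_text_segment() {
    core=$1; vaddr=$2; size=$3; out=$4
    dd if="$core" of="$out" bs=1 skip="$(vaddr_to_offset "$vaddr")" count="$size" 2>/dev/null
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum on BSD/macOS).
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when the carved segment hashes to `expected`, 1 otherwise.
check_text_segment() {
    core=$1; vaddr=$2; size=$3; expected=$4
    carved=$(mktemp)
    extract_text_segment "$core" "$vaddr" "$size" "$carved"
    actual=$(file_hash "$carved")
    rm -f "$carved"
    [ "$actual" = "$expected" ]
}
```

For the values in the post, `vaddr_to_offset 0x40101040` yields the dd skip value and `46985152` is the count; a mismatch from `check_text_segment` is the signal to pull the on-disk image and the device configuration into a proper investigation.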

Perimeter Defense

When designing a layered defense, no component exists in a vacuum: verifying the integrity of an IOS image is only one component. Configuring AAA and logging on IOS devices, and enabling perimeter defenses that record connections destined to router interface IPs, are other essential components that facilitate subsequent forensic investigations and post-mortem analyses.
